Available Zones

The following table summarizes the zones that can be queried, the Spamhaus databases they are connected to, and the possible return codes (represented by A records in the answers to DNS lookups, and by numeric response codes in HTTP lookup replies).

The last two return codes are associated with invalid DQS keys and apply to any query made using such keys.

Return Codes

DNSBLs return one or more A records for positive replies.
Each returned A record (associated with a different IP) is used to represent a specific message.
Return codes provided by the HTTP API are 1-to-1 mapped to such A records.

Zone Type Database Return Codes
sbl IP SBL * 127.0.0.2 (1002) - SBL
* 127.0.0.3 (1003) - CSS (automated)
* 127.0.0.9 (1009) - DROP (always in addition to SBL)
* 127.0.0.8 (1008) - currently unused
* 127.0.0.30 (1030) - BCL
xbl IP XBL * 127.0.0.4 (1004) - XBL
* from 127.0.0.5 (1005) to .7 (1007) - currently unused
sbl-xbl IP SBL+
XBL
* 127.0.0.2 (1002) - SBL
* 127.0.0.3 (1003) - CSS
* 127.0.0.9 (1009) - DROP
* 127.0.0.4 (1004) - XBL
(see details above)
* 127.0.0.30 (1030) - BCL
pbl IP PBL * 127.0.0.10 (1010) - entry maintained by ISP
* 127.0.0.11 (1011) - entry maintained by Spamhaus
zen IP SBL+
XBL+
PBL
* 127.0.0.2 (1002) - SBL
* 127.0.0.3 (1003) - CSS
* 127.0.0.9 (1009) - DROP
* 127.0.0.4 (1004) - XBL
* 127.0.0.10 (1010) - PBL
* 127.0.0.11 (1011) - PBL
(see details above)
* 127.0.0.30 (1030) - BCL
authbl IP AuthBL * 127.0.0.20 (1020) - AuthBL
dbl Domain DBL * 127.0.1.2 (2002) - low-reputation domain
* 127.0.1.4 (2004) - phishing-related domain
* 127.0.1.5 (2005) - malware-related domain
* 127.0.1.6 (2006) - botnet C&C domain
* 127.0.1.102 (2102) - abused-legit domain
* 127.0.1.103 (2103) - abused redirector
* 127.0.1.104 (2104) - abused domain used in phishing
* 127.0.1.105 (2105) - abused domain used by malware
* 127.0.1.106 (2106) - abused domain hosting C&C
* 127.0.1.255 - ERROR: IP queries not allowed (DNS only)
zrd Domain ZRD * 127.0.2.2 (3002) - domain first seen from 0 to 2 hours ago
* 127.0.2.3 (3003) - domain first seen from 2 to 3 hours ago
* […]
* 127.0.2.24 (3024) - domain first seen from 23 to 24 hours ago
* 127.0.2.255 - ERROR: IP queries not allowed (DNS only)
hbl SHA256
or SHA1
Hash
HBL In _file context:
* 127.0.3.10 (4010) - Malware file
* 127.0.3.15 (4015) - Suspicious file
In _cw context:
* 127.0.3.20 (4020) - CryptoWallet address observed in spam
In _email context:
* 127.0.3.2 (4002) - Email address observed in spam
In _url context:
* 127.0.3.30 (4030) - URL observed in spam.
ANY IP,
Domain
none * 127.255.255.250 (256250) - ERROR: DQS key disabled
* 127.255.255.251 (256251) - ERROR: DQS key illegally used
* 127.255.255.252 (no HTTP API) - typing error in DNSBL name